The MGM Resorts Attack (2023)

When the slot machines stopped spinning and hotel room keys stopped working.

$100 Million in damages started by a 10-minute phone call.

🎰 The Chaos

For 10 days, Las Vegas was paralyzed. Guests couldn't enter rooms, elevators were manual, and casinos became "Cash Only."

📞 The Hack

No coding wizardry. The attackers (Scattered Spider) simply called the Help Desk and tricked them into resetting a password (Vishing).

💰 The Ransom

MGM refused to pay the ransom. This cost them money in the short term ($100M) but avoided funding the criminals.

10 Days of Darkness

Early Sept 2023

The Setup

Hackers scout MGM employees on LinkedIn. They find a target and call the IT Help Desk, pretending to be that employee who "locked themselves out."

Sept 11, 2023

The Breach

The Help Desk resets the password. Hackers gain "Super Admin" access. They deploy ransomware that encrypts the servers running hotels and casinos.

Sept 12-19, 2023

Manual Mode

Total shutdown. Hotel staff use pen and paper for check-ins. Slot machines display error messages. ATMs go dark. Guests wait hours in lines.

Oct 2023

Recovery

MGM restores systems from backups without paying the ransom. However, guest data (Names, Driver's Licenses) is leaked by angry hackers.

Technical Breakdown

1. Social Engineering (Vishing)

This is the art of manipulating people. The attackers were persuasive and used real employee data (from LinkedIn) to sound legitimate over the phone.

2. Identity Provider (IdP) Compromise

MGM used Okta for logins. Once the hackers tricked the help desk, they got "Super Admin" rights in Okta, letting them create their own keys to the kingdom.

3. ALPHV/BlackCat Ransomware

This is the software used to lock the files. It encrypts data so MGM couldn't use it, and threatens to publish the data if not paid (Double Extortion).

Traveler Defense: Surviving a Hotel Hack

Imagine arriving at your vacation, and the hotel computers are dead. Here is how to prepare for modern travel disruptions.

💵

1. Carry Backup Cash

When the MGM systems went down, credit card machines and ATMs failed. Cash was the only way to buy food or tip staff. Always travel with an emergency cash fund.

📄

2. Print Your Reservation

If the hotel can't look up your name in the computer, a printed confirmation email (or a screenshot on your phone) is your only proof that you booked a room.

💳

3. Use Credit Cards (Not Debit)

If you swipe your card during a chaotic manual check-in, errors happen. Credit cards offer fraud protection and dispute rights. Debit cards pull money instantly from your bank.

❄️

4. Post-Trip Credit Freeze

Since guest data (Driver's Licenses) was stolen, identity theft is a risk. Freeze your credit files after a breach notification to stop criminals from opening loans in your name.

Knowledge Check

Test your knowledge on the hack and how to travel safely in the digital age.